• GRE and VXLAN tunnel acceleration—Supported on PA-3200 Series firewalls and PA-7000 Series firewalls with PA-7000-NPC and SMC-B.
• GTP-U tunnel acceleration—Supported on PA-7000 Series firewalls with PA-7000-NPC and SMC-B. For GTP-U tunnel traffic to have tunnel acceleration, Tunnel Acceleration must be enabled, GTP must be enabled, no tunnel content inspection (TCI) policy rules for GTP-U protocol can be configured, and a Security policy rule with a Mobile Network Protection profile attached must allow the GTP traffic.

• Current Device Certificate Status—The current status of device certificate (Valid, Invalid, or Expired)
• Not Valid Before—Timestamp indicating when the device certificate validity begins.
• Not Valid After—Timestamp indicating when the device certificate validity expires and the device certificate becomes Invalid or Expired.
• Last Fetched Message—Message displaying the whether the device certificate is successfully installed or if the device certificate installation failed.
• Last Fetched Status—The status of fetching the device certificate (success or failed).
• Last Fetched Timestamp—Timestamp of the last device certificate installation attempt.

• RADIUS
• TACACS+
• SAML

• None (default)—No device certificate is configured and the default predefined certificate is used.
• Local—The firewall uses a local device certificate and the corresponding private key generated on the firewall or imported from an existing enterprise PKI server.
  • Certificate—Select the local device certificate you generated or imported. This certificate can be unique to the firewall (based on a hash of the serial number of that firewall) or it can be a common device certificate used by all firewalls that connect to Panorama.
  • Certificate Profile—Select the Certificate Profile from the drop-down. The Certificate Profile defines the CA certificate for verifying client certificates and how to verify certificate revocation status.
• SCEP—The firewall uses a device certificate and private key generated by a Simple Certificate Enrollment Protocol (SCEP) server.
  • SCEP Profile—Select a Device > Certificate Management > SCEP from the drop-down. The SCEP Profile provides Panorama with the necessary information to authenticate client devices against a SCEP server in your enterprise PKI.
  • Certificate Profile—Select the Device > Certificate Management > Certificate Profile from the drop-down. The Certificate Profile defines the CA certificate for verifying client certificates and how to verify certificate revocation status.

• Customize Communication—The firewall uses its configured custom certificate to authenticate with the selected devices.
  • Panorama Communication—The firewall uses the configured client certificate for communication with Panorama.
  • PAN-DB Communication—The firewall uses the configured client certificate for communication with a PAN-DB appliance.
  • WildFire Communication—The firewall uses the configured client certificate for communication with a WildFire^® appliance.
  • Log Collector Communication—The firewall uses the configured client certificate for communication with a Log Collector.
  • Check Server Identity—(Panorama and Log Collector Communication only) The firewall confirms the identify of the server by matching the common name (CN) with the IP address or FQDN of the server.

• Custom Certificate Only—When enabled, Panorama accepts only custom certificates for authentication with managed firewalls and Log Collectors.
• SSL/TLS Service Profile—Select an SSL/TLS service profile from the drop-down. This profile defines the certificate and supported SSL/TLS versions that the firewall can use to communicate with Panorama.
• Certificate Profile—Select a certificate profile from the drop-down. This certificate profile defines certificate revocation-checking behavior and the root CA used to authenticate the certificate chain presented by the client.
• Authorization List—Add and configure a new authorization profile using the following fields to set the criteria for authorizing client devices that can connect to Panorama. The Authorization List supports a maximum of 16 profile entries.
  • Identifier—Select Subject or Subject Alt. Name as the authorization identifier.
  • Type—If you selected Subject Alt. Name as the Identifier, then select IP, hostname, or e-mail as the identifier type. If you selected Subject, then you must use common name as the identifier type.
  • Value—Enter the identifier value.
• Authorize Clients Based on Serial Number—Panorama authorizes client devices based on a hash of the device serial number.
• Check Authorization List—Panorama checks client device identities against the authorization list. A device need match only one criterion on the list to be authorized. If no match is found, the device is not authorized.
• Disconnect Wait Time (min)—The amount of time (in minutes) that Panorama waits before terminating the current connection with its managed devices. Panorama then reestablishes connections with its managed devices using the configured secure server communications settings. The wait time begins after you commit the secure server communications configuration.

• Predefined (default)—No device certificate is configured and Panorama uses the default predefined certificate.
• Local—Panorama uses a local device certificate and the corresponding private key generated on the firewall or imported from an existing enterprise PKI server.
  • Certificate—Select the local device certificate.
  • Certificate Profile—Select the Certificate Profile from the drop-down.
• SCEP—Panorama uses a device certificate and private key generated by a Simple Certificate Enrollment Protocol (SCEP) server.
  • SCEP Profile—Select a SCEP Profile from the drop-down.
  • Certificate Profile—Select the Certificate Profile from the drop-down.
• Customize Communication
  • HA Communication—Panorama uses the configured client certificate for HA communication with its HA peer.
  • WildFire Communication—Panorama uses the configured client certificate for communication with a WildFire appliance.

• Quota—The Quota, as a percentage, allocated on the hard disk for log storage. When you change a Quota value, the associated disk allocation changes automatically. If the total of all the values exceeds 100%, a message appears in red and an error message will appear if you try to save the settings. If this happens, adjust the percentages so that the total is within the 100% limit.
  VM-Series firewalls by default have a 0% quota allocated for SCTP log storage, SCTP Summary, Hourly SCTP Summary, Daily SCTP Summary, and Weekly SCTP Summary, so you must allocate some percentage for these firewalls to log SCTP information.
• Max Days—The length (in days) of the log expiration period (range is 1 to 2,000). The firewall or Panorama appliance automatically deletes logs that exceed the specified period. By default, there is no expiration period, which means logs never expire.
  The firewall or Panorama appliance evaluates logs during creation of the logs and then deletes logs that exceed the expiration period or quota size.

• Core Files—If your firewall experiences a system process failure, it will generate a core file that contains details about the process and why it failed. If a core file is too large for the default core file storage location (/var/cores partition), you can enable the large-core file option to allocate an alternate and larger storage location (/opt/panlogs/cores). A Palo Alto Networks support engineer can increase the allocated storage if needed.

# set deviceconfig setting management large-core [yes|no]

> scp export core-file large-corefile

• Restore Defaults—Select this option to revert to the default values.

• Session Log Storage—Select Session Log Quota and set the quotas and expiration periods for Traffic, Threat, URL Filtering, HIP Match, User-ID, GTP/Tunnel, SCTP, and Authentication logs, as well as Extended Threat PCAPs.
• Management Log Storage—Set quotas and expiration periods for System, Config, and App Stats logs, as well as for HIP Reports, Data Filtering Captures, App PCAPs, and Debug Filter PCAPs.

• PA-5200 Series and PA-7000 Series firewalls—Select Multi Disk Storage and configure the settings in the Session Log Storage and Management Log Storage tabs.
  PA-5200 Series firewalls by default have a 0% quota allocated for SCTP log storage, SCTP Summary, Hourly SCTP Summary, Daily SCTP Summary, and Weekly SCTP Summary, so you must allocate some percentage for these firewalls to log SCTP information.
• All other firewall models—Select Single Disk Storage, select Session Log Quota, and configure the settings on the Log Storage tab.

• Number of Versions for Config Audit—Enter the number of configuration versions to save before discarding the oldest ones (default is 100). You can use these saved versions to audit and compare changes in configuration.
• Number of Versions for Config Backups—(Panorama only) Enter the number of configuration backups to save before discarding the oldest ones (default is 100).
• Max Rows in CSV Export—Enter the maximum number of rows that will appear in the CSV reports generated when you Export to CSV from the traffic logs view (range is 1 to 1,048,576; default is 65,535).
• Max Rows in User Activity Report—Enter the maximum number of rows that is supported for the detailed user activity reports (range is 1 to 1,048,576; default is 5,000).

• Average Browse Time (sec)—Configure this variable to adjust how the browse time is calculated in seconds for the Monitor > PDF Reports > User Activity Report (range is 0 to 300 seconds; default is 60).
  The calculation will ignore sites categorized as web advertisements and content delivery networks. The browse time calculation is based on container pages logged in the URL filtering logs. Container pages are used as the basis for this calculation because many sites load content from external sites that should not be considered. For more information on the container page, see Container Pages. The average browse time setting is the average time that the administrator thinks it should take a user to browse a web page. Any request made after the average browse time has elapsed will be considered a new browsing activity. The calculation will ignore any new web pages that are loaded between the time of the first request (start time) and the average browse time. This behavior was designed to exclude any external sites that are loaded within the web page of interest. Example: If the average browse time setting is 2 minutes and a user opens a web page and views that page for 5 minutes, the browse time for that page will still be 2 minutes. This is done because there is no way to determine how long a user views a given page.

• Page Load Threshold (sec)—Allows you to adjust the assumed time (in seconds) that it takes for page elements to load on the page (range is 0 to 60; default is 20). Any request that occurs between the first page load and the page load threshold is assumed to be elements of the page. Any requests that occur outside of the page load threshold is assumed to be the user clicking a link within the page. The page load threshold is also used in the calculations for the Monitor > PDF Reports > User Activity Report.
• Syslog HOSTNAME Format—Select whether to use the FQDN, hostname, or IP address (IPv4 or IPv6) in the syslog message header. This header identifies the firewall or Panorama management server where the message originated.
• Report Runtime—Select the time of day (default is 2 a.m.) when the firewall or Panorama appliance starts generating daily scheduled reports.
• Report Expiration Period—Set the expiration period (in days) for reports (range is 1 to 2,000). By default, there is no expiration period, which means reports never expire. The firewall or Panorama appliance deletes expired reports nightly at 2 A.M. according to its system time.

• Stop Traffic when LogDb full (Firewall only; disabled by default)—Select this option if you want traffic through the firewall to stop when the log database is full.
• Enable Threat Vault Access (enabled by default)—Enables the firewall to access the Threat Vault to gather the latest information about detected threats. This information is available for threat logs and for top threat activity charted on the ACC.
• Enable Log on High DP Load (Firewall only; disabled by default)—Select this option to specify that a system log entry is generated when the packet processing load on the firewall is at 100% CPU utilization.
  Enable Log on High DP Load allows administrators to investigate and identify the cause of high CPU utilization.

  A high CPU load can cause operational degradation because the CPU does not have enough cycles to process all packets. The system log alerts you to this issue (a log entry is generated each minute) and allows you to investigate for probable cause.

• Enable High Speed Log Forwarding (PA-5200 Series, PA-5450, and PA-7000 Series firewalls only; only enabled in the PA-5450 by default)—As a best practice, select this option to forward logs to Panorama at up to a maximum rate of 120,000 logs per second. When disabled, the firewall forwards logs to Panorama at a maximum rate of only 80,000 logs per second.
  If you enable this option, the firewall does not store logs locally or display them in the Dashboard, ACC, or Monitor tabs. Additionally, you must configure log forwarding to Panorama

  to use this option.

• Log Collector Status—Displays status of whether the firewall successfully established a connection to the Distributed Log Collection architecture and is sending logs to it. If the firewall is also configured to send logs to the Logging Service, verify the Logging Service Status, in the Logging Service section.

• Buffered Log Forwarding from Device (enabled by default)—Allows the firewall to buffer log entries on its hard disk (local storage) when it loses connectivity to Panorama. When the connection to Panorama is restored, the firewall forwards the log entries to Panorama; the disk space available for buffering depends on the log storage quota for the firewall model and the volume of logs that are pending roll over. If the available space is consumed, the oldest entries are deleted to allow logging of new events.
  Enable Buffered Log Forwarding from Device to help prevent loss of logs if the connection to Panorama goes down.
• Get Only New Logs on Convert to Primary (disabled by default)—This option applies only to a Panorama virtual appliance in Legacy mode that writes logs to a Network File System (NFS). With NFS logging, only the primary Panorama is mounted to the NFS. Therefore, the firewalls send logs only to the active primary Panorama. This option enables you to configure firewalls to send newly generated logs only to Panorama when an HA failover occurs and the secondary Panorama resumes logging to the NFS (after it is promoted as primary). This option is typically enabled to prevent firewalls from sending a large volume of buffered logs when connectivity to Panorama is restored after a significant period of time.
• Only Active Primary Logs to Local Disk (disabled by default)—This option applies only to a Panorama virtual appliance in Legacy mode. This option enables you to configure only the active Panorama to save logs to the local disk.

• Pre-Defined Reports (enabled by default)—Pre-defined reports for application, traffic, threat, URL Filtering, and Stream Control Transmission Protocol (SCTP) are available on the firewall and on Panorama. Pre-defined reports for SCTP are available on the firewall and Panorama after SCTP Security is enabled in DeviceSetupManagementGeneral Settings.
  Because the firewalls consume memory resources in generating the results hourly (and forwarding it to Panorama where it is aggregated and compiled for viewing), to reduce memory usage, you can disable the reports that are not relevant to you. To disable a report, disable this option for the report.
  Click Select All or Deselect All to entirely enable or disable the generation of pre-defined reports.
  Before disabling a report, verify that there isn’t a Group Report or a PDF Report using it. If you disable a predefined report assigned to a set of reports, the entire set of reports will have no data.
• Log Admin Activity (disabled by default)—Specify whether to generate an audit log when an administrator executes an operational command in the firewall CLI or navigates through the web interface. You must first successfully configure a syslog server before you can generate and forward an audit log.
  • Operational Commands—Generate an audit log when an administrator executes an operational or debug command in the CLI or an operational command that is triggered from the web interface. See the CLI Operational Command Hierarchy for a full list of PAN-OS operational and debug commands.
  • UI Actions—Generate an audit log when an administrator navigates throughout the web interface. This includes navigation between configuration tabs, as well as between individual objects within a tab. For example, an audit log is generated when an administrator navigates from the ACC to the Policies tab. Additionally, an audit log is generated when an administrator navigates from ObjectsAddresses to ObjectsTags.
  • Syslog Server—Select the target syslog server profile to forward audit logs.

• IPv6 Address—The IPv6 address of the log interface port.
• IPv6 Default Gateway—The IPv6 address of the default gateway for the port.

• None (default)
• Error
• Help
• Information
• Warning

• License—OK or Error to indicate whether the firewall has a valid license to forward logs to Strata Logging Service.
• Certificate—OK or Error to indicate whether the firewall successfully fetched the certificate required to authenticate to Strata Logging Service.
• Customer Info—OK or Error to indicate whether the firewall has the required customer identification number to use Strata Logging Service. When the status is OK, you can see the customer identification number as well.
• Device Connectivity—Indicates whether the firewall is successfully connected to Strata Logging Service.